[Security] OAuth CSRF: state nonce is generated but never stored or verified — connect flow is vulnerable to CSRF

[MehtabSandhu11]

Summary

The /api/connect/github OAuth flow generates a nonce in the state parameter but never persists it anywhere. The callback at /api/connect/github/callback only checks that the state is base64-decodable JSON with a userId and nonce field — it never verifies that the nonce was actually issued by this server. An attacker can craft a forged state containing an arbitrary userId, complete the GitHub OAuth flow, and attach a GitHub token to any user account.

Root Cause

apps/backend/src/routes/connect.ts line 40:

// In a real app, store this in Redis to cross-check in callback
const state = JSON.stringify({
  userId: (request.user as any).id,
  nonce: generateState(),      // generated but never stored
});

Callback (line 63–68):

const decodedState = parseOAuthState(state);
if (!decodedState) { ... }
const userId = decodedState.userId;   // userId comes entirely from attacker-controlled input

There is no server-side validation that the nonce was actually issued for this user session.

Proposed Fix

1. On /api/connect/github (the initiation endpoint), store the nonce in Redis keyed by nonce value with a 10-minute TTL:

   await app.redis.set(`oauth:nonce:${nonce}`, userId, 'EX', 600);

2. On the callback, look up the nonce in Redis; reject if missing or if the stored userId doesn't match the decoded one:

   const storedUserId = await app.redis.get(`oauth:nonce:${decodedState.nonce}`);
   if (!storedUserId || storedUserId !== decodedState.userId) {
     return reply.redirect(`${process.env.PUBLIC_APP_URL}/settings?error=invalid_state`);
   }
   await app.redis.del(`oauth:nonce:${decodedState.nonce}`);

Acceptance Criteria

• Nonce is stored in Redis on initiation and consumed (deleted) on callback
• Callback rejects requests with unrecognised or mismatched nonces
• A test asserts that a forged state (valid JSON, unknown nonce) is rejected with an error redirect
• No change to happy-path UX

Please assign this issue to me under GSSoC

[Nightkilller]

Hi @MehtabSandhu11,

I would like to work on this issue under GSSoC'26.

I reviewed the OAuth flow and understand the security concern: the state nonce is generated during GitHub OAuth initiation but is never persisted or validated on callback, allowing forged state values to bypass CSRF protection.

My planned approach:

• Store the generated OAuth nonce in Redis during /api/connect/github initiation with an appropriate TTL.
• Associate the nonce with the authenticated user ID and validate both values during the callback flow.
• Reject callbacks with missing, expired, unknown, or mismatched nonces.
• Consume (delete) the nonce after successful validation to prevent replay attacks.
• Add automated tests covering:
  • successful OAuth callback with a valid nonce
  • forged state containing an unknown nonce
  • mismatched user ID and nonce combinations
  • nonce replay attempts after consumption
• Ensure there is no change to the existing happy-path user experience.

I will keep the implementation focused on the OAuth state validation flow and include the required test coverage.

Please assign this issue to me. Thank you!

[Harxhit]

@MehtabSandhu11 I have assigned this issue to you.